Skip to content

sql: negative scale in pgwire binary decimal format crashes node #158884

Closed
#160499
Closed
sql: negative scale in pgwire binary decimal format crashes node#158884
#160499
Assignees
dils2k
Labels
A-sql-pgcompatSemantic compatibility with PostgreSQLC-bugCode not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior.E-quick-winLikely to be a quick win for someone experienced.S-3Medium-low impact: incurs increased costs for some users (incl lower avail, recoverable bad data)T-sql-queriesSQL Queries Teambranch-release-25.4Used to mark GA and release blockers and technical advisories for 25.4branch-release-26.1Used to mark GA and release blockers, technical advisories, and bugs for 26.1target-release-26.2.0v26.1.0-prereleasev26.2.0-prerelease
@DrewKimball

Description

@DrewKimball
DrewKimball
opened on Dec 5, 2025

With the following test case in TestPGTest:

send
Parse {"Name": "s1", "Query": "SELECT $1::decimal"}
Bind {"DestinationPortal": "p1", "PreparedStatement": "s1", "ParameterFormatCodes": [1], "Parameters": [{"binary":"000100010000FFF00001"}]}
Execute {"Portal": "p1"}
Sync
----

until
ReadyForQuery
----

And running that test against an active CRDB node:

./dev test pkg/sql/pgwire -f TestPGTest/_tmp --test-args "-addr=localhost:26257 -user=root"

You can crash the node with a slice out-of-bounds panic. The crash happens because the decimal decoding logic doesn't know how to handle a negative scale (the FFF0 part).

Jira issue: CRDB-57539

Metadata

Metadata

Assignees

Labels

A-sql-pgcompatSemantic compatibility with PostgreSQLC-bugCode not up to spec/doc, specs & docs deemed correct. Solution expected to change code/behavior.E-quick-winLikely to be a quick win for someone experienced.S-3Medium-low impact: incurs increased costs for some users (incl lower avail, recoverable bad data)T-sql-queriesSQL Queries Teambranch-release-25.4Used to mark GA and release blockers and technical advisories for 25.4branch-release-26.1Used to mark GA and release blockers, technical advisories, and bugs for 26.1target-release-26.2.0v26.1.0-prereleasev26.2.0-prerelease

Type

No type

Projects

SQL Queries

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions